Re: Regression when writing to /proc/<pid>/attr/

[Kees Cook <keescook@chromium.org>]

On Mon, Jun 07, 2021 at 04:22:45PM +0200, Christian Brauner wrote:
> Hey Linus,
> hey Kees,
> 
> This morning I got a report about regressions when running containers
> using lsm profiles when spawning a new process into a container. Andrea
> bisected this to: bfb819ea20ce ("proc: Check /proc/$pid/attr/ writes
> against file opener")

Aaagh.

> Spawning a new process into a running container is a bit messy due to
> accumulated legacy cruft and here's one way we're currently doing it.
> Parent process -> immediate process -> attached process: the
> intermediate process is needed to attach to the container's namespaces
> and then we fork so that the "attached process" is a proper member of
> the pid namespace of the container, i.e. a child of PID 1 in the new pid
> namespace.
>
> The IPC mechanism is:

In here, "initial" means "parent", "transient" means "intermediate"?

> 
> /* 
>  * IPC mechanism: (X is receiver)
>  *   initial process        transient process   attached process
>  *        X           <---  send pid of
>  *                          attached proc,
>  *                          then exit
>  *    send 0 ------------------------------------>    X
>  *                                              [do initialization]
>  *        X  <------------------------------------  send 1
>  *   [add to cgroup, ...]
>  *    send 2 ------------------------------------>    X
>  *						[set LXC_ATTACH_NO_NEW_PRIVS]
>  *        X  <------------------------------------  send 3
>  *   [open LSM label fd]

As in, "initial process" is opening "attached process"'s attr fd?

>  *    send 4 ------------------------------------>    X
>  *   						[set LSM label]

Does "initial" send the fd to "attached"?

>  *   close socket                                 close socket
>  *                                                run program
>  */
> 
> With your fix Kees, the last step where the attached process writes its
> own lsm profile fails with EPERM where it would succeed before. That
> means v5.13 breaks all container users currently where it has worked
> continuously before. :)

I can only understand this if the fd is passed to the writer, or the
writer opens, changes creds, and then writes?

> The LSM profile is written after we've become root in our new namespace
> 
> 	if (!lxc_drop_groups())
> 		goto on_error;
> 
> 	if (options->namespaces & CLONE_NEWUSER)
> 		if (!lxc_switch_uid_gid(ctx->setup_ns_uid, ctx->setup_ns_gid))
> 			goto on_error;
> 
> 	if (attach_lsm(options) && ctx->lsm_label) {
> 		/* Change into our new LSM profile. */
> 		ret = ctx->lsm_ops->process_label_set_at(ctx->lsm_ops, fd_lsm, ctx->lsm_label, on_exec);
> 		if (ret < 0)
> 			goto on_error;
> 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> 		TRACE("Set %s LSM label to \"%s\"", ctx->lsm_ops->name, ctx->lsm_label);
> 	}
> 
> So the effective ids of the process writing the lsm profile are
> different from the ids of the process that opened the lsm fd in this
> case.

I'm assuming the issue is the latter (open, drop privs, write). And
I assume fsuid/fsgid has changed? (i.e. cred_fscmp() couldn't be used
either?)

-- 
Kees Cook